from the watching-you-watching-me dept
With the leaked Supreme Court ruling indicating the court is poised to effectively overturn Roe V. Wade, you can expect a new wave of worry about the weaponization and abuse of consumer location data, as states increasingly seek to criminalize abortion — and those aiding others seeking such services.
As if on cue: Motherboard’s latest scoop indicates that data brokers have been busily collecting and selling the location data of users who visit Planned Parenthood abortion clinics, including “aggregated” data on how long visitors were at the clinic and which census block(s) they traveled from:
The company selling the data is SafeGraph. SafeGraph ultimately obtains location data from ordinary apps installed on peoples’ phones. Often app developers install code, called software development kits (SDKs), into their apps that sends users’ location data to companies in exchange for the developer receiving payment. Sometimes app users don’t know that their phone—be that via a prayer app, or a weather app—is collecting and sending location data to third parties, let alone some of the more dangerous use cases that Motherboard has reported on, including transferring data to U.S. military contractors.
Safegraph works with all manner of organizations and companies interested in tracking user movements in significant detail, including, it was also revealed this week, the CDC. Motherboard didn’t find it particularly difficult to purchase its own data trove, including recent visitors to Planned Parenthood, for $160:
SafeGraph classifies “Planned Parenthood” as a “brand” that can be tracked, and the data Motherboard purchased includes more than 600 Planned Parenthood locations in the United States. The data included a week’s worth of location data for those locations in mid-April. SafeGraph calls the location data product “Patterns.” In total, the data cost just over $160. Not all Planned Parenthood locations offer abortion services. But Motherboard verified that some facilities included in the purchased dataset do.
Again, this data can be helpful to everybody from epidemiologists to city planners. But it’s also so incredibly lucrative, we haven’t implemented much in the way of any standards as to how it can be used (as to not stifle innovation, wink wink). As a result, it’s routinely collected without user knowledge or consent, sold without much in the way of safeguards, and distributed widely across countless industries.
As we’ve noted repeatedly, telecom, tech, app, and adtech companies all really enjoy claiming this kind of granular data collection and sale is no big deal because the data being collected is “anonymized.” But studies have repeatedly made it clear that “anonymization” is a meaningless term, since users can be easily identified with just a few additional datasets.
The same was true here, with the privacy impact of aggregation and anonymization being overstated:
SafeGraph’s data is aggregated, meaning it isn’t explicitly specifying where a certain device moved to. Instead, it focuses on the movements of groups of devices. But researchers have repeatedly warned about the possibilities of unmasking individuals contained in allegedly anonymized datasets.
Sections of the SafeGraph dataset Motherboard purchased handle a very small number of devices per record, theoretically making deanonymization of those people easier. Some had just four or five devices visiting that location, with SafeGraph filtering the data by whether the person used an Android or an iOS device as well.
Safegraph didn’t want to respond to a request for comment.
Journalists have been documenting this specific threat to the safety of those seeking abortions for several years. Broader concerns about the harm of location data over-collection and sale aren’t theoretical. There’s been a parade of scandals by a wide variety of companies and services showcasing how the rampant over-collection and sale of location data causes immeasurable harm.
Scandals at Securus, LocationSmart, T-Mobile, Grindr, and others have all brutally illustrated how cellular carriers, app makers, tech companies, and location data brokers routinely collect, buy and sell your daily movement records with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards. That data is then abused by stalkers, criminals, law enforcement, and anybody with a few nickels to rub together.
While there’s often a lot of pretense to the contrary, U.S. lawmakers didn’t do anything meaningful to tackle this problem not because it’s difficult, but because a long list of industries and companies found the broken and dangerous status quo to be more profitable. And because those companies collectively lobbied a corrupt Congress into a state of perpetual dysfunction and apathy.
The check for that apathy continues to come due. And the idea that this location data won’t be abused by a surging U.S. authoritarian movement seeking to criminalize, vilify, and harass not just those seeking abortion — but those helping and caring for them — seems relatively naïve.
Filed Under: abortion, adtech, apps, consumers, location data, planned parenthood, privacy, smartphonw, surveillance, telecom, wireless
Companies: safegraph